Fix CVE-2018-6914:
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914
https://security-tracker.debian.org/tracker/CVE-2018-6914
Patch copied from snapshot.debian.org:
https://snapshot.debian.org/archive/debian-security/20180423T104456Z/pool/updates/main/r/ruby1.8/ruby1.8_1.8.7.358-7.1%2Bdeb7u6.debian.tar.gz
Origin: backport, e9ddf2ba41a0bffe1047e33576affd48808c5d0b
Reviewed-by: Santiago R.R <santiagorr@riseup.net>
From e9ddf2ba41a0bffe1047e33576affd48808c5d0b Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 28 Mar 2018 14:34:14 +0000
Subject: [PATCH 2/4] merge revision(s) 62990:
Ignore file separator from tmpfile/tmpdir name.
From: SHIBATA Hiroshi <hsbt@ruby-lang.org>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@63017 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
ChangeLog | 4 ++++
lib/tmpdir.rb | 2 ++
test/test_tempfile.rb | 28 +++++++++++++++++++++++++++-
test/test_tmpdir.rb | 34 ++++++++++++++++++++++++++++++++++
version.h | 2 +-
5 files changed, 68 insertions(+), 2 deletions(-)
Index: ruby1.8/lib/tmpdir.rb
===================================================================
--- ruby1.8.orig/lib/tmpdir.rb
+++ ruby1.8/lib/tmpdir.rb
@@ -110,6 +110,8 @@ class Dir
else
raise ArgumentError, "unexpected prefix_suffix: #{prefix_suffix.inspect}"
end
+ prefix = prefix.delete("#{File::SEPARATOR}#{File::ALT_SEPARATOR}")
+ suffix &&= suffix.delete("#{File::SEPARATOR}#{File::ALT_SEPARATOR}")
tmpdir ||= Dir.tmpdir
t = Time.now.strftime("%Y%m%d")
n = nil
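Review bot: The two added `delete` calls silently sanitize the caller's prefix/suffix rather than rejecting them, and nothing on the line says why, so a later maintainer may not see that this is the traversal fix; a one-line comment above L130 would carry that, e.g. `# Strip path separators so a caller-supplied prefix/suffix cannot escape tmpdir (CVE-2018-6914); File::ALT_SEPARATOR is nil on POSIX, so the set is just "/" there.` Raising `ArgumentError` on a separator would make a misbehaving caller visible instead of quietly producing a different name, but the strip form matches the upstream change, so this is a point of style rather than a defect. The same two lines appear in lib/tempfile.rb (L185-186) and want the same comment. The enclosing `Dir.mktmpdir` body starts and ends outside the hunk.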
Index: ruby1.8/test/test_tempfile.rb
===================================================================
--- /dev/null
+++ ruby1.8/test/test_tempfile.rb
@@ -0,0 +1,37 @@
+require 'test/unit'
+require 'tempfile'
+require './ruby/envutil'
+
+class TestTempfile < Test::Unit::TestCase
+ def initialize(*)
+ super
+ @tempfile = nil
+ end
+
+ TRAVERSAL_PATH = Array.new(Dir.pwd.split('/').count, '..').join('/') + Dir.pwd + '/'
+
+ def test_open_traversal_dir
+ expect = Dir.glob(TRAVERSAL_PATH + '*').count
+ t = Tempfile.open([TRAVERSAL_PATH, 'foo'])
+ actual = Dir.glob(TRAVERSAL_PATH + '*').count
+ assert_equal expect, actual
+ ensure
+ t.close!
+ end
+
+ def test_new_traversal_dir
+ expect = Dir.glob(TRAVERSAL_PATH + '*').count
+ t = Tempfile.new(TRAVERSAL_PATH + 'foo')
+ actual = Dir.glob(TRAVERSAL_PATH + '*').count
+ assert_equal expect, actual
+ ensure
+ t.close!
+ end
+
+ def test_create_traversal_dir
+ expect = Dir.glob(TRAVERSAL_PATH + '*').count
+ Tempfile.create(TRAVERSAL_PATH + 'foo')
+ actual = Dir.glob(TRAVERSAL_PATH + '*').count
+ assert_equal expect, actual
+ end
+end
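Review bot: The `ensure t.close!` in `test_open_traversal_dir` and `test_new_traversal_dir` runs even when `Tempfile.open`/`Tempfile.new` raises, in which case `t` is nil and the `NoMethodError` from `close!` masks the real failure; guard it with `t.close! if t`. `test_create_traversal_dir` never removes the file it creates (no block form, no `unlink`), so each run leaves a stray temp file behind, and as far as I know `Tempfile.create` was added in a later Ruby than 1.8, so on this tree the test would fail with `NoMethodError` rather than exercising the traversal path; either drop it for this backport or skip it when `Tempfile.respond_to?(:create)` is false. `require './ruby/envutil'` resolves against the current working directory, which ties the test to being run from the test directory.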
Index: ruby1.8/lib/tempfile.rb
===================================================================
--- ruby1.8.orig/lib/tempfile.rb
+++ ruby1.8/lib/tempfile.rb
@@ -79,6 +79,8 @@ class Tempfile < DelegateClass(File)
else
prefix, suffix = basename, ''
end
+ prefix = prefix.delete("#{File::SEPARATOR}#{File::ALT_SEPARATOR}")
+ suffix &&= suffix.delete("#{File::SEPARATOR}#{File::ALT_SEPARATOR}")
t = Time.now.strftime("%Y%m%d")
path = "#{prefix}#{t}-#{$$}-#{rand(0x100000000).to_s(36)}-#{n}#{suffix}"